Date: Fri, 10 Nov 2000 11:52:42 -0800 (PST)
From: John Baldwin <jhb@FreeBSD.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: freebsd-security@FreeBSD.org, Aleksey Zvyagin <zal@ping.ru>
Subject: Re: About FreeBSD securelevel
Message-ID: <XFMail.001110115242.jhb@FreeBSD.org>
In-Reply-To: <Pine.NEB.3.96L.1001109230111.54529A-100000@fledge.watson.org>

On 10-Nov-00 Robert Watson wrote:
>
> These are well-known vulnerabilities that have been discussed in detail
> previously: it is widely recognized that securelevels are a flawed scheme
> that (in effect) attempts to be a subset of a mandatory integrity policy +
> some diminished privilege availability. The securelevel(8) man page
> should be updated to indicate that it is not supported, and recent commits
> to enable the securelevel in sysinstall's higher security profiles should
> be reverted.

The securelevel functionality is inherited from BSD 4.4lite. We don't have MAC's yet though. If you can provide a replacement for it, then go ahead and axe it, otherwise, I wouldn't kill it yet. When do you expect to be able to replace its functionality? If you will have it in by 5.0, then you can go ahead and say it is deprecated in 5.0 and 4.x now. If not until 6.0, then just say it is deprecated in 5.0 only. Regardless, I wouldn't axe the functionality or the sysinstall hooks until the replacement functionality is committed.

-- 

John Baldwin <jhb@FreeBSD.org> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/